Topic: Win.Exploit.CVE_2015_0005 FOUND

Racheltjie de Beer
Win.Exploit.CVE_2015_0005 FOUND
« on: January 25, 2016, 08:02:35 am »
Problem
Not so much a problem as a learning experience.  I think I found malware on my Windows partition and would like to statically analyse it.

Background
I scanned my laptop a while ago, from my Linux partition, using ClamAV.  ClamAV picked up a few malware-infected files on the Windows partition.  So I booted into Windows and ran a slew of malware removal tools (Malwarebytes, JTR, etc).  Avast never picked up any malware.

Things I have tried
Then I started reading the tutorials on EZ (not because of the above).  I started with Deque's tutorials and it made me wonder. So I ran the scan again and found:

Code:
/media/Data/Python35/Scripts/smbrelayx.py: Win.Exploit.CVE_2015_0005 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4238654
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.06 MB
Data read: 0.04 MB (ratio 1.78:1)
Time: 5.719 sec (0 m 5 s)

Ooh, I thought, let's use my mad skills (from reading only two tutorials) and crack open this puppy. But wait, I told myself, think first!  Let's see what we are dealing with here before I do anything.

So I DDG'd (searched) a bit and found SMB Relay Demystified and NTLMv2 Pwnage with Python. After reading those, I found that it was developed to do SMB Relay attacks.

I also searched for info on Win.Exploit.CVE_2015_0005 and found a lot of sites reporting the same (as Vulnerability Center):
Quote
Microsoft Windows multiple versions is vulnerable to remote spoofing attack in NETLOGON due to improper establishment of a secure communications channel belonging to a different machine with a spoofed computer name.

Questions
  • Is my assumption correct; that it is an intentional exploiting script and ClamAV is overreacting?
  • Is there possibly malware embedded in this exploiting script?

Regardless, I'll first work through a few tutorials (to gain knowledge and confidence), read up more and then take a look at smbrelayx.py – if it is malware...
(Thinkn) x ∑1n (Search x Reading)

Deque (Global Moderator, Programmer, Malware Analyst)
Re: Win.Exploit.CVE_2015_0005 FOUND
« Reply #1 on: January 25, 2016, 10:13:31 am »
Hi Racheltjie de Beer.

It is a python script. It should not be too hard to analyse. Although exploits can be hard to understand, because usually you won't find detailed information about them.

The folder /media/Data/Python35/Scripts/ looks more like the file was placed by the user than by an actual malware.
And searching the name leads me here: https://github.com/CoreSecurity/impacket/blob/impacket_0_9_13/examples/smbrelayx.py

Code:
# This module performs the SMB Relay attacks originally discovered
# by cDc. It receives a list of targets and for every connection received it
# will choose the next target and try to relay the credentials. Also, if
# specified, it will first to try authenticate against the client connecting
# to us.

So yes, this is a tool for "hacking", or grayware as we would call it. AVs may or may not detect these tools, no matter if they are infected or not.

On a sidenote: ClamAV produces lots of false positives, I do not recommend it.

If you need a proper checkup of your system, let me know.
« Last Edit: January 25, 2016, 10:14:57 am by Deque »
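Deque's point is that a Python script is easy to look at before deciding whether the detection is a false positive. The following static-triage script is an added example for this thread, not code from the forum, from ClamAV or from impacket: it parses a Python source file with the standard `ast` module, lists imports that touch the network or spawn processes, flags dynamic-code calls (`exec`, `eval`, `compile`, `__import__`), decodes any long base64 string constants so that hidden payloads become readable, and hashes the file so it can be compared against a copy fetched from the upstream repository. The module name sets and the embedded sample source are assumptions constructed for the example; the sample is not smbrelayx.py.

```python
"""Static triage of a Python script that an AV scanner has flagged."""
import ast
import base64
import hashlib
import re

# Assumed watch-lists (not from ClamAV or impacket); extend as needed.
NETWORK_MODULES = {"socket", "ssl", "http", "urllib", "ftplib", "smtplib",
                   "requests", "impacket"}
EXEC_MODULES = {"subprocess", "os", "ctypes"}
DYNAMIC_CALLS = {"exec", "eval", "compile", "__import__"}
# Long runs of base64 alphabet characters, optionally padded.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Constructed sample input: a stand-in for a flagged script. It is NOT
# smbrelayx.py; it merely exercises each of the checks below.
SAMPLE_SOURCE = '''\
#!/usr/bin/env python
# This module performs the SMB Relay attacks originally discovered
# by cDc.
import base64
import socket
import subprocess
from impacket import smbserver

def run(target):
    s = socket.socket()
    s.connect((target, 445))
    subprocess.call(["net", "use"])

payload = "aW1wb3J0IG9zOyBvcy5zeXN0ZW0oImlkIik="
exec(base64.b64decode(payload))
'''


def triage(source: str) -> dict:
    """Return a dict of static indicators found in the given Python source."""
    tree = ast.parse(source)
    imports = set()
    dynamic_calls = []   # (function name, line number)
    base64_blobs = []    # (line number, decoded bytes)

    for node in ast.walk(tree):
        # Top-level module names from both import forms.
        if isinstance(node, ast.Import):
            for alias in node.names:
                imports.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
        # Bare calls to exec()/eval()/compile()/__import__().
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in DYNAMIC_CALLS):
            dynamic_calls.append((node.func.id, node.lineno))
        # String constants that look like base64: decode them so the
        # analyst can read what a packed payload actually contains.
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and B64_RE.fullmatch(node.value)):
            try:
                decoded = base64.b64decode(node.value, validate=True)
            except ValueError:
                continue
            base64_blobs.append((node.lineno, decoded))

    return {
        "sha256": hashlib.sha256(source.encode()).hexdigest(),
        "network_imports": sorted(imports & NETWORK_MODULES),
        "exec_imports": sorted(imports & EXEC_MODULES),
        "dynamic_calls": dynamic_calls,
        "base64_blobs": base64_blobs,
    }


def matches_reference(source: str, expected_sha256: str) -> bool:
    """True if the file hashes to the SHA-256 of a known-good upstream copy."""
    return hashlib.sha256(source.encode()).hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    report = triage(SAMPLE_SOURCE)
    print("sha256:", report["sha256"])
    print("network imports:", report["network_imports"])
    print("process/exec imports:", report["exec_imports"])
    for name, line in report["dynamic_calls"]:
        print(f"dynamic code call {name}() at line {line}")
    for line, blob in report["base64_blobs"]:
        print(f"base64 blob at line {line} decodes to: {blob!r}")
```

To triage a real file, read it with `open(path, encoding="utf-8").read()` and pass the text to `triage()`; to settle the "is it the upstream tool or a modified copy" question, download the matching impacket release file, hash it, and compare with `matches_reference()`. A known hacking tool with no base64 blobs, no `exec()` and only the imports its documented purpose needs is grayware as Deque describes; a "tool" that also decodes and executes a hidden payload is the case where further analysis is warranted.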

Racheltjie de Beer
Re: Win.Exploit.CVE_2015_0005 FOUND
« Reply #2 on: January 25, 2016, 12:04:08 pm »
Hi Deque,

Thank you for your response and inputs.

Quote
On a sidenote: ClamAV produces lots of false positives, I do not recommend it.
What would you, personally, recommend for Linux?

Quote
If you need a proper checkup of your system, let me know.
Thank you.  I've followed the steps https://malwaretips.com/blogs/remove-popup-ads-windows-10/ on all my own PCs and they seem clean now.  Now just to get the mother-in-law to stop clicking on banner ads  ;)
« Last Edit: January 25, 2016, 12:04:36 pm by Racheltjie de Beer »
(Thinkn) x ∑1n (Search x Reading)

Deque (Global Moderator, Programmer, Malware Analyst)
Re: Win.Exploit.CVE_2015_0005 FOUND
« Reply #3 on: January 25, 2016, 01:24:00 pm »
Quote
What would you, personally, recommend for Linux?

Most major AV products are now available for Linux. If you choose Bitdefender, Avast, AVG or Avira it should be much better than ClamAV.

may1
Re: Win.Exploit.CVE_2015_0005 FOUND
« Reply #4 on: January 30, 2016, 10:02:36 am »
I also recommend Kaspersky Anti-Virus for Linux File Server.